Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Bar Chart Drilldown To Dynamically Generate Event Query

OrionCulver
Explorer
‎11-09-2023 12:00 PM

Hi,
I have bar chart powered by a query that uses an eval case pattern to group events into apps.  e.g.,

index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
| eval AppName = case(
(SourceName="Foo" AND Message="*Bar*"), "app1",
(SourceName="Foo"), "app2",
(source="Mtn" AND 'Properties.Service'="Barf"), "app3",
(SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*")), "app4",
)
| stats count as ErrorCount by AppName

What I'd like to do is have each bar, when clicked, open a new window that shows the events corresponding to the app.  e.g., for the above example, the queries would be:

index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(SourceName="Foo" AND Message="*Bar*")


index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(SourceName="Foo")


index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(source="Mtn" AND 'Properties.Service'="Barf")


index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*"))

The problem I am having is how to make the drilldown xml node function thusly.  I thought I could use conditional tokens, but when condition nodes are in the drilldown node, I get an error saying "link cannot be condition", even though the link node is the last sibling of all the condition nodes.

Please help!

Thanks,

Orion

Labels (1)
Labels
0 Karma
Reply

OrionCulver
Explorer
‎11-14-2023 05:44 AM

<bump>

0 Karma
Reply

OrionCulver
Explorer
‎11-09-2023 12:29 PM

Apparently, the link node needs to be in every condition node.  is there a better way to do this?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...